From 4bc204925a7b154f243e4702e1729df8c99a725d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20R=2E=20de=20Miranda?= <andre@miranda.work>
Date: Mon, 20 May 2019 15:27:15 -0300
Subject: [PATCH] Error in nginx when starting registry-proxy (#4785)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

nginx fails to start because requiredDropCapabilities drops all capabilities.

nginx requires the following capabilities:
- CHOWN
- SETGID
- SETUID

Signed-off-by: André R. de Miranda <andre@miranda.work>
---
 .../registry/templates/registry-proxy-psp.yml.j2      | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
index e73711a95..c7375336a 100644
--- a/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
@@ -17,7 +17,16 @@ spec:
   privileged: false
   allowPrivilegeEscalation: false
   requiredDropCapabilities:
-    - ALL
+    - SETPCAP
+    - MKNOD
+    - AUDIT_WRITE
+    - NET_RAW
+    - DAC_OVERRIDE
+    - FOWNER
+    - FSETID
+    - KILL
+    - SYS_CHROOT
+    - SETFCAP
   volumes:
     - 'configMap'
     - 'emptyDir'
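Review bot: Replacing `- ALL` with ten enumerated entries turns `requiredDropCapabilities` into a denylist, so any capability the container runtime grants by default that is not listed stays with the nginx container. The commit message names only CHOWN, SETGID and SETUID as required, yet NET_BIND_SERVICE, which is in Docker's default set, is also left undropped and is not explained. If nginx here does not bind a port below 1024, add `- NET_BIND_SERVICE` to the list. Otherwise record the intent above the list, for example `# nginx keeps CHOWN, SETGID, SETUID (and NET_BIND_SERVICE); all other runtime-default capabilities are dropped`. The rest of `spec` lies outside the hunk, so whether `allowedCapabilities` or `defaultAddCapabilities` is set cannot be seen from here; it is worth confirming that the retained set does not depend on a particular runtime's defaults.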
-- 
GitLab